Whitelisting only specific IPs in one Qube (Atomic Wallet)

Hi there.

I installed one Qube called “atomic-qube”.
In that Qube I will only have one program called “atomicwallet.AppImage”:
https://get.atomicwallet.io/download/atomicwallet.AppImage

Currently I trust this app, but maybe in the future I will not.
When I start this app it should connect to a remote server “xx.xx.xx.xx” and check my crypto balance.

Currently I do not know which IP address that is, nor whether there are other IP addresses.

All I want to know is how to see:

  1. All active IP connections in this Qube.

After seeing the active connections, I can whitelist only those connections in the firewall.

In the future, if I download an infected new Atomic update, this application wouldn’t be able to connect to a remote RAT server, because I whitelisted only Atomic servers??

Does this make any sense? Or am I thinking wrong?


Short info:

I have been using Atomic Wallet since it was in beta.
Never ever had any problem with this wallet.
My private keys and seed are very well protected since I do not download any new versions.
But now I want to download the new version, because I want to have new coins in my list, some coins in which I want to invest.
My version 1 had support for the top 5 cryptos.
I know this version is not infected with any kind of man-in-the-middle, or any kind of trojan.

So how can I inspect this app and limit my firewall only to those IPs?

And what will happen if I download an infected app and my firewall is well configured?
Will the attacker still have access to my seed, even though his server is not whitelisted???

Thanks to all who can help, and more thanks to those who try to help.

live long and prosper

For seeing the active connections I think you’ll need some sort of Linux network monitoring tool. But the next part should be as simple as restricting that in the Qube’s firewall settings. The documentation should be self-explanatory, and reading it should answer most of your concerns:

If that doesn’t work for you, then check out this discussion:

Thanks, man.

I will read it definitely :slight_smile:

After reading a little bit more… I need a proxy VM.

A proxy can filter and block what I do not want.

The Qubes firewall is not logical enough for me.
I can allow all or only specific ones.

What about blocking only specific ones and allowing the rest?

Now I found a tutorial. I will try to follow it on my 4.1.
If I succeed I will update my first post.

How to configure PiHole in QubesOS (ProxyVM) | Patrizio Tufarolo

Note that PiHole is a DNS filter - it will not prevent malicious programs which use IP addresses directly.

Hi Rooftop

Thanks for your remark.

Do you have any better idea for this problem?

Without knowing what you want to allow or block, it’s hard to know what the best solution is. What exactly are you trying to block (or allow)? For example, what host names or IP addresses, what sort of connections (http, https, others?).

It’s very simple (at least for me).

I want to have a VM in which I want to install one Program only (APP1).
Then, when I start this program, I want to see which IP connections this program uses (TCP & UDP), and then block all other connections.

But now I can not see my active connections in my VM (because I do not know how).

Let’s say that APP1 uses only the IPs
aa.aa.aa.aa and
bb.bb.bb.bb
for connecting to a trusted remote server.

Then I want to enable only those IPs and block everything else.

Why?
My thinking is, if I downloaded a malicious updated version APP1_v.2, then this code would not be able to connect to a RAT server.
Or am I thinking wrong?

If I am thinking all this wrong, then I want to have a possibility to run any infected application and to clearly see all active IPs.
Nothing more.

:slight_smile:

Look into certificate pinning. There is a Firefox add-on to help you understand the concept. Use it for your logins in Firefox to see how it works.

omw

:wink:

The qubes firewall does not make the above limitation; it can be configured to allow more than one IP/host and block all others - just create additional entries.

You can get an idea of connections the qube makes with a tcpdump capture such as:

$ sudo tcpdump -i eth0 -n '((tcp[tcpflags]&tcp-syn!=0 and tcp[tcpflags]&tcp-ack=0) or udp) and (port domain or dst net not 10.0.0.0/8)'

... IP 10.137.0.15.49100 > 10.139.1.1.domain: 59319+ A? www.qubes-os.org. (34)
... IP 10.137.0.15.49100 > 10.139.1.1.domain: 7500+ AAAA? www.qubes-os.org. (34)
... IP 10.139.1.1.domain > 10.137.0.15.49100: 59319 1/0/0 A 185.199.108.153 (50)
... IP 10.139.1.1.domain > 10.137.0.15.49100: 7500 NXDomain 0/0/0 (34)
... IP 10.137.0.15.42740 > 185.199.108.153.https: Flags [S] ...

Explanation: show all outgoing TCP connections and UDP packets, as long as the destination is not a 10.x.y.z network, unless it’s a DNS request. The above was the result of curl https://www.qubes-os.org.

It would be better to capture everything to a file (add -w file.pcap), and analyze later in a graphical UI like Wireshark.

Once you have IP addresses, create the firewall rules.
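As an added example (not from anyone in this thread), a small Python helper that reads tcpdump lines in the format quoted above, pairs each DNS query with its answer by transaction id so the external IPs get a name, and prints candidate qvm-firewall rules. The sample lines are constructed (93.184.216.34 is made up), and the qvm-firewall rule syntax is my understanding of Qubes 4.x, so compare it with `qvm-firewall --help` before use.

```python
import ipaddress
import re

# Constructed sample in the format of the tcpdump output quoted above
# (timestamps stripped); 93.184.216.34 is a made-up second destination.
SAMPLE = """\
IP 10.137.0.15.49100 > 10.139.1.1.domain: 59319+ A? www.qubes-os.org. (34)
IP 10.139.1.1.domain > 10.137.0.15.49100: 59319 1/0/0 A 185.199.108.153 (50)
IP 10.137.0.15.42740 > 185.199.108.153.https: Flags [S], seq 1, win 64240, length 0
IP 10.137.0.15.42741 > 185.199.108.153.https: Flags [S], seq 2, win 64240, length 0
IP 10.137.0.15.51000 > 10.137.0.20.ssh: Flags [S], seq 3, win 64240, length 0
IP 10.137.0.15.40000 > 93.184.216.34.http: Flags [S], seq 4, win 64240, length 0
"""

LINE_RE = re.compile(r"IP (\S+) > (\S+): (.*)")
QUERY_RE = re.compile(r"^(\d+)\+ A\? (\S+?)\.? \(")       # "59319+ A? name. (34)"
ANSWER_RE = re.compile(r"^(\d+) \d+/\d+/\d+ ")           # "59319 1/0/0 A 1.2.3.4 (50)"
PORT_NAMES = {"https": 443, "http": 80, "domain": 53, "ssh": 22}  # -n keeps service names
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # Qubes-internal traffic, not whitelist material

def split_endpoint(ep):
    """'185.199.108.153.https' -> ('185.199.108.153', 443)."""
    host, port = ep.rsplit(".", 1)
    return host, PORT_NAMES[port] if port in PORT_NAMES else int(port)

def parse_capture(text):
    """Return ({ext_ip: {ports}} from outgoing SYNs, {ip: name} from paired DNS query/answer)."""
    dests, names, pending = {}, {}, {}
    for m in filter(None, (LINE_RE.match(l.strip()) for l in text.splitlines())):
        _src, dst, rest = m.groups()
        dst_ip, dst_port = split_endpoint(dst)
        if "Flags [S]" in rest and ipaddress.ip_address(dst_ip) not in INTERNAL:
            dests.setdefault(dst_ip, set()).add(dst_port)
        elif q := QUERY_RE.match(rest):
            pending[q.group(1)] = q.group(2)             # DNS transaction id -> queried name
        elif (a := ANSWER_RE.match(rest)) and a.group(1) in pending:
            for ip in re.findall(r" A (\d+\.\d+\.\d+\.\d+)", rest):
                names[ip] = pending[a.group(1)]
    return dests, names

def suggest_rules(qube, dests, names):
    """qvm-firewall commands (assumed Qubes 4.x syntax): allow DNS + observed hosts, then drop."""
    rules = [f"qvm-firewall {qube} add accept specialtarget=dns"]
    for ip in sorted(dests, key=ipaddress.ip_address):
        for port in sorted(dests[ip]):
            note = f"  # {names[ip]}" if ip in names else ""
            rules.append(f"qvm-firewall {qube} add accept dsthost={ip} proto=tcp dstports={port}{note}")
    rules.append(f"qvm-firewall {qube} add drop")
    return rules
```

Run `print("\n".join(suggest_rules("atomic-qube", *parse_capture(SAMPLE))))` to see the rules; the SSH connection to 10.137.0.20 is dropped from the list because it stays inside the Qubes network.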


I took a quick look at the atomicwallet.AppImage.

As expected, it’s just an Electron app (it has an embedded Chromium browser + NodeJS) so it’s probably reaching out to HTTPS endpoints at atomicwallet’s web site.

This means not connecting the VM to a NetVM, then executing the AppImage with a --proxy-server http://127.0.0.1:8888 argument, and then following the guide @Rooftop made @ Restricting a Qube to selected websites.

Also, if it matters to you, that AppImage does not embed a signature (--appimage-signature), nor does their website provide any signatures in the download location. sha256 hashes are provided, but the site is also behind CloudFlare.

Thank you very much @icequbes1 for explaining.
I will definitely test this configuration today.

Will update my progress.

:wink: